
We claim: 

1. A computer program product embodied on computer readable media readable by a
computing system in a computing environment, for enforcing security policy using style sheet
processing, comprising:

an input document;

one or more stored policy enforcement objects, wherein each of said stored policy
enforcement objects specifies a security policy to be associated with zero or more elements of said
input document;

a Document Type Definition (DTD) corresponding to said input document, wherein said
DTD has been augmented with one or more references to selected ones of said stored policy
enforcement objects;

an augmented style sheet processor, wherein said augmented processor further comprises:

computer-readable program code means for loading said DTD;

computer-readable program code means for resolving each of said one or more
references in said loaded DTD;

computer-readable program code means for instantiating said policy enforcement
objects associated with said resolved references;

computer-readable program code means for executing selected ones of said
instantiated policy enforcement objects during application of one or more style sheets to said input
document, wherein a result of said computer-readable program code means for executing is an
interim transient document reflecting said execution;

computer-readable program code means for generating one or more random
encryption keys;

computer-readable program code means for encrypting selected elements of said
interim transient document, wherein a particular one of said generated random encryption keys
may be used to encrypt one or more of said selected elements, while leaving zero or more other
elements of said interim transient document unencrypted;

computer-readable program code means for encrypting each of said one or more
random encryption keys; and

computer-readable program code means for creating an encrypted output
document comprising said zero or more other unencrypted elements, said selected encrypted
elements, and said encrypted encryption keys;

computer-readable program code means for receiving said encrypted output document at a
client device;

an augmented document processor, comprising computer-readable program code means
for decrypting said received output document for an individual user or process on said client
device, thereby creating a result document; and

computer-readable program code means for rendering said result document on said client
device.



2. The computer program product according to Claim 1, wherein said interim transient
document comprises one or more encryption tags identifying elements needing encryption.

3. The computer program product according to Claim 1, wherein said input document is
specified in an Extensible Markup Language (XML) notation.

4. The computer program product according to Claim 3, wherein said output document is
specified in said XML notation.



5. The computer program product according to Claim 1, wherein said stored policy
enforcement objects further comprise computer-readable program code means for overriding a
method for evaluating said elements of said input document, and wherein said computer-readable
program code means for executing further comprises computer-readable program code means for
executing said computer-readable program code means for overriding.

6. The computer program product according to Claim 5, wherein said style sheets are
specified in an Extensible Stylesheet Language (XSL) notation.

7. The computer program product according to Claim 6, wherein said method is a value-of
method of said XSL notation, and wherein said computer-readable program code means for
overriding said value-of method is by subclassing said value-of method.



8. The computer program product according to Claim 5 or Claim 7, wherein:

said overridden method comprises:

computer-readable program code means for generating encryption tags; and

computer-readable program code means for inserting said generated encryption
tags into said interim transient document to surround elements of said interim transient document
which are determined to require encryption; and

said computer-readable program code means for encrypting selected elements encrypts
those elements surrounded by said inserted encryption tags.

9. The computer program product according to Claim 1, wherein each of said instantiated
policy enforcement objects further comprises:

a specification of a community that is authorized to view said elements associated with
said security policy; and

an encryption requirement for said elements associated with said security policy.

10. The computer program product according to Claim 9, wherein said encryption
requirement further comprises specification of an encryption algorithm.



11. The computer program product according to Claim 9, wherein said encryption
requirement further comprises specification of an encryption algorithm strength value.

12. The computer program product according to Claim 9, wherein:

said computer-readable program code means for encrypting said encryption keys further
comprises computer-readable program code means for encrypting a different version of each of
said random encryption keys for each of one or more members of each of zero or more of said
communities which uses said encryption key, and wherein each of said different versions is
encrypted using a public key of said community member for which said different version was
encrypted.

13. The computer program product according to Claim 9, wherein said encryption
requirement may have a null value to indicate that said specified security policy does not require
encryption.

14. The computer program product according to Claim 1, wherein said computer-readable
program code means for encrypting selected elements uses a cipher block chaining mode
encryption process.



15. The computer program product according to Claim 12, further comprising:

computer-readable program code means for creating a key class for each unique
community, wherein said key class is associated with each of said encrypted elements for which
this unique community is an authorized viewer, and wherein said key class comprises: (1) a
strongest encryption requirement of said associated encrypted elements; (2) an identifier of each
member of said unique community; and (3) one of said different versions of said encrypted
encryption key for each of said identified community members; and

wherein:

said computer-readable program code means for generating said one or more
random encryption keys generates a particular one of said random encryption keys for each of
said key classes, and wherein each of said different versions in a particular key class is encrypted
from said generated encryption key generated for said key class; and

said computer-readable program code means for encrypting selected elements uses
that one of said particular random encryption keys which was generated for said key class with
which said selected element is associated.

16. The computer program product according to Claim 12, wherein:

said computer-readable program code means for decrypting said output document further
comprises:

computer-readable program code means for determining zero or more of said
communities of which said individual user or process is one of said members;

computer-readable program code means for decrypting, for each of said
determined communities, said different version of said random encryption key which was encrypted
using said public key of said one member, wherein said computer-readable program code means
for decrypting uses a private key of said one member which is associated with said public key
which was used for encryption, thereby creating a decrypted key; and

computer-readable program code means for decrypting selected ones of said
encrypted elements in said output document using said decrypted keys, wherein said selected ones
of said encrypted elements are those which were encrypted for one of said determined
communities; and

said computer-readable program code means for rendering further comprises:

computer-readable program code means for rendering said decrypted selected ones
and said other unencrypted elements.



17. The computer program product according to Claim 15, wherein:

said computer-readable program code means for decrypting said output document further
comprises:

computer-readable program code means for determining zero or more of said key
classes which identify said individual user or process as one of said members;

computer-readable program code means for decrypting, for each of said
determined key classes, said different version of said random encryption key in said key class which
was encrypted using said public key of said one member, wherein said computer-readable
program code means for decrypting uses a private key of said one member which is associated
with said public key which was used for encryption, thereby creating a decrypted key; and

computer-readable program code means for decrypting selected ones of said
encrypted elements in said output document using said decrypted keys, wherein said selected ones
of said encrypted elements are those which were encrypted for said key class; and

said computer-readable program code means for rendering further comprises:

computer-readable program code means for rendering said decrypted selected ones
and said other unencrypted elements.



18. The computer program product according to Claim 16 or Claim 17, wherein said
computer-readable program code means for rendering further comprises computer-readable
program code means for rendering a substitute text message for any of said selected encrypted
elements in said output document which cannot be decrypted by said computer-readable program
code means for decrypting said output document.

19. The computer program product according to Claim 1, wherein said DTD is replaced by a
schema.

20. The computer program product according to Claim 9, wherein said encryption
requirement further comprises specification of an encryption key length.

21. The computer program product according to Claim 8, wherein said inserted encryption
tags may surround either values of said elements or values and tags of said elements.

22. A system for enforcing security policy using style sheet processing in a computing
environment, comprising:

an input document;

one or more stored policy enforcement objects, wherein each of said stored policy
enforcement objects specifies a security policy to be associated with zero or more elements of said
input document;

a Document Type Definition (DTD) corresponding to said input document, wherein said
DTD has been augmented with one or more references to selected ones of said stored policy
enforcement objects;

RSW9-99-073

an augmented style sheet processor, wherein said augmented processor further comprises:

means for loading said DTD;

means for resolving each of said one or more references in said loaded DTD;

means for instantiating said policy enforcement objects associated with said
resolved references;

means for executing selected ones of said instantiated policy enforcement objects
during application of one or more style sheets to said input document, wherein a result of said
means for executing is an interim transient document reflecting said execution;

means for generating one or more random encryption keys;

means for encrypting selected elements of said interim transient document, wherein
a particular one of said generated random encryption keys may be used to encrypt one or more of
said selected elements, while leaving zero or more other elements of said interim transient
document unencrypted;

means for encrypting each of said one or more random encryption keys; and

means for creating an encrypted output document comprising said zero or more
other unencrypted elements, said selected encrypted elements, and said encrypted encryption
keys;

means for receiving said encrypted output document at a client device;

an augmented document processor, comprising means for decrypting said received output
document for an individual user or process on said client device, thereby creating a result
document; and

means for rendering said result document on said client device.

23. The system according to Claim 22, wherein said interim transient document comprises one
or more encryption tags identifying elements needing encryption.

24. The system according to Claim 22, wherein said input document is specified in an
Extensible Markup Language (XML) notation.

25. The system according to Claim 24, wherein said output document is specified in said XML
notation.

26. The system according to Claim 22, wherein said stored policy enforcement objects further
comprise means for overriding a method for evaluating said elements of said input document, and
wherein said means for executing further comprises means for executing said means for
overriding.

27. The system according to Claim 26, wherein said style sheets are specified in an Extensible
Stylesheet Language (XSL) notation.

28. The system according to Claim 27, wherein said method is a value-of method of said XSL
notation, and wherein said means for overriding said value-of method is by subclassing said
value-of method.

29. The system according to Claim 26 or Claim 28, wherein:

said overridden method comprises:

means for generating encryption tags; and

means for inserting said generated encryption tags into said interim transient
document to surround elements of said interim transient document which are determined to
require encryption; and

said means for encrypting selected elements encrypts those elements surrounded by said
inserted encryption tags.

30. The system according to Claim 22, wherein each of said instantiated policy enforcement
objects further comprises:

a specification of a community that is authorized to view said elements associated with
said security policy; and

an encryption requirement for said elements associated with said security policy.

31. The system according to Claim 30, wherein said encryption requirement further comprises
specification of an encryption algorithm.

32. The system according to Claim 30, wherein said encryption requirement further comprises
specification of an encryption algorithm strength value.



33. The system according to Claim 30, wherein:

said means for encrypting said encryption keys further comprises means for encrypting a
different version of each of said random encryption keys for each of one or more members of each
of zero or more of said communities which uses said encryption key, and wherein each of said
different versions is encrypted using a public key of said community member for which said
different version was encrypted.

34. The system according to Claim 30, wherein said encryption requirement may have a null
value to indicate that said specified security policy does not require encryption.

35. The system according to Claim 22, wherein said means for encrypting selected elements
uses a cipher block chaining mode encryption process.

36. The system according to Claim 33, further comprising:

means for creating a key class for each unique community, wherein said key class is
associated with each of said encrypted elements for which this unique community is an authorized
viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said
associated encrypted elements; (2) an identifier of each member of said unique community; and
(3) one of said different versions of said encrypted encryption key for each of said identified
community members; and

wherein:

said means for generating said one or more random encryption keys generates a
particular one of said random encryption keys for each of said key classes, and wherein each of
said different versions in a particular key class is encrypted from said generated encryption key
generated for said key class; and

said means for encrypting selected elements uses that one of said particular random
encryption keys which was generated for said key class with which said selected element is
associated.



37. The system according to Claim 33, wherein:

said means for decrypting said output document further comprises:

means for determining zero or more of said communities of which said individual
user or process is one of said members;

means for decrypting, for each of said determined communities, said different
version of said random encryption key which was encrypted using said public key of said one
member, wherein said means for decrypting uses a private key of said one member which is
associated with said public key which was used for encryption, thereby creating a decrypted key;
and

means for decrypting selected ones of said encrypted elements in said output
document using said decrypted keys, wherein said selected ones of said encrypted elements are
those which were encrypted for one of said determined communities; and

said means for rendering further comprises:

means for rendering said decrypted selected ones and said other unencrypted
elements.

38. The system according to Claim 36, wherein:

said means for decrypting said output document further comprises:

means for determining zero or more of said key classes which identify said
individual user or process as one of said members;

means for decrypting, for each of said determined key classes, said different
version of said random encryption key in said key class which was encrypted using said public key
of said one member, wherein said means for decrypting uses a private key of said one member
which is associated with said public key which was used for encryption, thereby creating a
decrypted key; and

means for decrypting selected ones of said encrypted elements in said output
document using said decrypted keys, wherein said selected ones of said encrypted elements are
those which were encrypted for said key class; and

said means for rendering further comprises:

means for rendering said decrypted selected ones and said other unencrypted
elements.

39. The system according to Claim 37 or Claim 38, wherein said means for rendering further
comprises means for rendering a substitute text message for any of said selected encrypted
elements in said output document which cannot be decrypted by said means for decrypting said
output document.



40. The system according to Claii 

41. The system according to Claim 30, wherein said encryption requirement further comprises
specification of an encryption key length.

42. The system according to Claim 29, wherein said inserted encryption tags may surround
either values of said elements or values and tags of said elements.



43. A method for enforcing security policy using style sheet processing in a computing
environment, comprising the steps of:

providing an input document;

providing one or more stored policy enforcement objects, wherein each of said stored
policy enforcement objects specifies a security policy to be associated with zero or more elements
of said input document;

providing a Document Type Definition (DTD) corresponding to said input document,
wherein said DTD has been augmented with one or more references to selected ones of said
stored policy enforcement objects;

executing an augmented style sheet processor, further comprising the steps of:

loading said DTD;

resolving each of said one or more references in said loaded DTD;

instantiating said policy enforcement objects associated with said resolved
references;

executing selected ones of said instantiated policy enforcement objects during
application of one or more style sheets to said input document, wherein a result of said executing
selected ones step is an interim transient document reflecting said execution;

generating one or more random encryption keys;

encrypting selected elements of said interim transient document, wherein a
particular one of said generated random encryption keys may be used to encrypt one or more of
said selected elements, while leaving zero or more other elements of said interim transient
document unencrypted;

encrypting each of said one or more random encryption keys; and

creating an encrypted output document comprising said zero or more other
unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;

receiving said encrypted output document at a client device;

executing an augmented document processor, comprising the step of decrypting said
received output document for an individual user or process on said client device, thereby creating
a result document; and

rendering said result document on said client device.



44. The method according to Claim 43, wherein said interim transient document comprises
one or more encryption tags identifying elements needing encryption.

45. The method according to Claim 43, wherein said input document is specified in an
Extensible Markup Language (XML) notation.

46. The method according to Claim 45, wherein said output document is specified in said
XML notation.

47. The method according to Claim 43, wherein said stored policy enforcement objects further
comprise executable code for overriding a method for evaluating said elements of said input
document, and wherein said executing selected ones step further comprises overriding said
method for evaluating.

48. The method according to Claim 47, wherein said style sheets are specified in an Extensible
Stylesheet Language (XSL) notation.

49. The method according to Claim 48, wherein said method is a value-of method of said XSL
notation, and wherein said step of overriding said value-of method is by subclassing said value-of
method.



50. The method according to Claim 47 or Claim 49, wherein:

said step of overriding further comprises the steps of:

generating encryption tags; and

inserting said generated encryption tags into said interim transient document to
surround elements of said interim transient

and

said step of encrypting selected elements encrypts those elements surrounded by said
inserted encryption tags.

51. The method according to Claim 43, wherein each of said instantiated policy enforcement
objects further comprises:

a specification of a community that is authorized to view said elements associated with
said security policy; and

an encryption requirement for said elements associated with said security policy.

52. The method according to Claim 51, wherein said encryption requirement further
comprises specification of an encryption algorithm.

53. The method according to Claim 51, wherein said encryption requirement further
comprises specification of an encryption algorithm strength value.

54. The method according to Claim 51, wherein:

said step of encrypting said encryption keys further comprises the step of encrypting a
different version of each of said random encryption keys for each of one or more members of each
of zero or more of said communities which uses said encryption key, and wherein each of said
different versions is encrypted using a public key of said community member for which said
different version was encrypted.

55. The method according to Claim 51, wherein said encryption requirement may have a null
value to indicate that said specified security policy does not require encryption.

56. The method according to Claim 43, wherein said step of encrypting selected elements uses
a cipher block chaining mode encryption process.

57. The method according to Claim 54, further comprising the step of:

creating a key class for each unique community, wherein said key class is associated with
each of said encrypted elements for which this unique community is an authorized viewer, and
wherein said key class comprises: (1) a strongest encryption requirement of said associated
encrypted elements; (2) an identifier of each member of said unique community; and (3) one of
said different versions of said encrypted encryption key for each of said identified community
members; and

wherein:

said step of generating said one or more random encryption keys generates a
particular one of said random encryption keys for each of said key classes, and wherein each of
said different versions in a particular key class is encrypted from said generated encryption key
generated for said key class; and

said step of encrypting selected elements uses that one of said particular random
encryption keys which was generated for said key class with which said selected element is
associated.



58. The method according to Claim 54, wherein:

said step of decrypting said output document further comprises the steps of:

determining zero or more of said communities of which said individual user or
process is one of said members;

decrypting, for each of said determined communities, said different version of said
random encryption key which was encrypted using said public key of said one member, wherein
said step of decrypting uses a private key of said one member which is associated with said public
key which was used for encryption, thereby creating a decrypted key; and

decrypting selected ones of said encrypted elements in said output document using
said decrypted keys, wherein said selected ones of said encrypted elements are those which were
encrypted for one of said determined communities; and

said step of rendering further comprises the step of:

rendering said decrypted selected ones and said other unencrypted elements.

59. The method according to Claim 57, wherein:

said step of decrypting said output document further comprises the steps of:

determining zero or more of said key classes which identify said individual user or
process as one of said members;

decrypting, for each of said determined key classes, said different version of said
random encryption key in said key class which was encrypted using said public key of said one
member, wherein said step of decrypting uses a private key of said one member which is
associated with said public key which was used for encryption, thereby creating a decrypted key;
and

decrypting selected ones of said encrypted elements in said output document using
said decrypted keys, wherein said selected ones of said encrypted elements are those which were
encrypted for said key class; and

said step of rendering further comprises the step of:

rendering said decrypted selected ones and said other unencrypted elements.

60. The method according to Claim 58 or Claim 59, wherein said step of rendering further
comprises the step of rendering a substitute text message for any of said selected encrypted
elements in said output document which cannot be decrypted by said step of decrypting said
output document.

61. The method according to Claim 43, wherein said DTD is replaced by a schema.

62. The method according to Claim 51, wherein said encryption requirement further
comprises specification of an encryption key length.

63. The method according to Claim 50, wherein said inserted encryption tags may surround
either values of said elements or values and tags of said elements.